Initial commit - 611 cybersecurity skills across all subdomains

This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,35 @@
# Standards and References - Securing Helm Chart Deployments
## NIST SP 800-190
- Section 4.1: Image vulnerabilities and configuration defects
- Section 5.2: Registry security and chart provenance
- Section 5.4: Secure deployment configuration
## CIS Kubernetes Benchmark v1.8
- 5.2.1-5.2.9: Pod Security Standards enforced via chart defaults
- 5.7.3: Apply security context to pods and containers
## SLSA (Supply chain Levels for Software Artifacts)
- Level 1: Documented build process (Helm chart CI)
- Level 2: Source version controlled, signed provenance
- Level 3: Hardened build platform, signed artifacts
- Level 4: Two-party review, hermetic builds
## Helm Security Resources
| Resource | URL |
|----------|-----|
| Helm Security Best Practices | https://helm.sh/docs/chart_best_practices/ |
| Helm Provenance and Integrity | https://helm.sh/docs/topics/provenance/ |
| kube-linter | https://github.com/stackrox/kube-linter |
| checkov Kubernetes checks | https://www.checkov.io/5.Policy%20Index/kubernetes.html |
| helm-secrets plugin | https://github.com/jkroepke/helm-secrets |
## Compliance Mappings
### PCI DSS v4.0
- Req 6.3.1: Security vulnerabilities identified and managed
- Req 6.5.1: Changes controlled by change control processes
### SOC 2
- CC8.1: Change management - Controlled deployment processes
@@ -0,0 +1,29 @@
# Workflow - Securing Helm Chart Deployments
## Phase 1: Chart Development Security
1. Set secure defaults in values.yaml (non-root, read-only fs, resource limits)
2. Add network policy templates
3. Use external secrets references
4. Lint with `helm lint --strict`
## Phase 2: CI Pipeline
1. Render templates: `helm template test ./chart -f values.yaml > rendered.yaml`
2. Lint: `helm lint ./chart --strict`
3. Scan: `kube-linter lint rendered.yaml`
4. Scan: `checkov -f rendered.yaml --framework kubernetes`
5. Sign chart: `helm package ./chart --sign`
## Phase 3: Deployment
1. Verify chart signature: `helm verify chart.tgz`
2. Deploy with production values: `helm install release ./chart -f values-prod.yaml`
3. Verify deployment: `helm test release`
## Phase 4: Post-Deployment
1. Validate security contexts: `kubectl get pods -o jsonpath='{.items[*].spec.securityContext}'`
2. Check network policies applied
3. Verify secrets sourced from external store
## Phase 5: Maintenance
1. Update chart versions in lockfile
2. Rescan after dependency updates
3. Rotate signing keys annually